The Microsoft Application Verifier is a tool that lets developers check code for errors at runtime. It ships with every Windows version and works by loading a DLL into the application the developer wants to check. Cybellum researchers discovered that a third party could load their own "verifier DLL" in place of the one provided by the official Microsoft Application Verifier.
Simply by creating a Windows Registry key, an attacker can name the application he wants to hijack and then supply his own rogue DLL to be injected into that legitimate process.

Several antivirus makers affected

Cybellum researchers say that most of today's security products are susceptible to DoubleAgent attacks. The list of affected products includes:

The DoubleAgent attack is extremely dangerous, as it hijacks the security product, effectively disabling it. Depending on an attacker's skill level, he could use the DoubleAgent flaw to load malicious code that:

- turns the security product off
- makes the security product blind to certain malware/attacks
- uses the security product as a proxy to launch attacks on the local computer/network
- elevates the privilege level of all malicious code (security products typically run with the highest privileges)
- uses the security product to hide malicious traffic or exfiltrate data
- damages the OS or the computer
- causes a denial of service

By design, the DoubleAgent attack is both a code injection technique and a persistence mechanism, as it allows an attacker to re-inject the malicious DLL inside a targeted process after each boot, thanks to the registry key.
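A defender-side check that follows from the mechanism described above, added here as an example and not taken from the article or from Cybellum: a PowerShell audit of the Image File Execution Options keys that Application Verifier reads, listing every image that has a VerifierDlls value registered and flagging DLLs that do not resolve to a file in System32. The key path, the VerifierDlls value and the 0x100 bit in GlobalFlag are assumed from Application Verifier's documented behaviour; the page itself does not name them.

```powershell
# Added example: enumerate Application Verifier registrations persisted in the registry.
# Assumption: Application Verifier reads <IFEO>\<image.exe>\VerifierDlls (space-separated
# DLL names) and only activates when bit 0x100 of GlobalFlag is set for that image.
function Get-VerifierDllEntry {
    $ifeo = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    $trustedDir = Join-Path $env:SystemRoot 'System32'

    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $dlls  = $props.VerifierDlls
        if ([string]::IsNullOrWhiteSpace($dlls)) { return }   # no verifier DLL for this image

        # GlobalFlag may be stored as REG_DWORD or as a hex string; both coerce to [int].
        $flags      = [int]($props.GlobalFlag -as [int])
        $verifierOn = ($flags -band 0x100) -ne 0

        foreach ($dll in ($dlls -split '\s+' | Where-Object { $_ })) {
            # A bare file name is resolved by the loader; treat anything that is not an
            # existing file under System32 as worth a closer look.
            $resolved = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $trustedDir $dll }
            $suspicious = -not (Test-Path -LiteralPath $resolved) -or
                          -not $resolved.StartsWith($trustedDir, 'OrdinalIgnoreCase')
            [pscustomobject]@{
                Image       = $_.PSChildName
                VerifierDll = $dll
                VerifierOn  = $verifierOn
                Suspicious  = $suspicious
            }
        }
    }
}

# Report anything that is active now or points outside System32; an empty table is the
# expected result on a machine where nobody has enabled Application Verifier.
Get-VerifierDllEntry | Where-Object { $_.VerifierOn -or $_.Suspicious } | Format-Table -AutoSize
```

Because the registration survives reboots, the same query is a reasonable thing to run from a scheduled task or to feed into endpoint telemetry as a registry-persistence check.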

Level 29

I'm curious about a couple of things.
1. How the detection results for this file look in the Malware Hub.
2. Seeing images of other infected AVs besides Norton (the malware UIs injected into Malwarebytes, Avast, etc.).

I would say more. AVs are becoming obsolete with tools like VoodooShield or AppGuard; the only problem is that the majority of people cannot understand how those tools work, so they rely completely on AVs and switch off their common sense. Our mission is to educate the people around us and show them alternatives to highly overrated security suites.
Default-deny and good browsing habits are the best security combo.

Level 25

About signatures we have already written rivers of words.
A behavior blocker can sometimes prove unable to counteract some of the new malware that regularly appears. Let's take an example: suppose that vendor X has developed a behavior blocker that can detect 100% of the malware currently in circulation. What would be the reaction of the malcoders in these circumstances? For sure they would invent a completely different method to infect the victim's computer, invisible to this BB. At this point, this BB would need urgent updates to its behavior-recognition rules.
But malware writers can constantly find new ways to circumvent the protective action of the new updates. In the end, inevitably and probably, we will see the same situation as with signature scanning; in fact, the signatures of the malware may take the form of “behaviours” instead of “code fragments”.
Default Deny/Lockdown Mode would be a more manageable condition.

Level 10

"Shortly"; it is an endless war! But "they" will find vulnerabilities sooner or later, from the moment you power on your PC (if they want). As the gurus have already been saying, there's no 100% bulletproof security. But you can reduce the risk with default deny / lockdown / CF (cs-settings), etc. And last but not least, common sense and safe habits! Well, as with everything in the world, those who have more money have more power! It's a cruel world. But there are always people behind the "curtain" who want to play a game, and that game is endless!

Moderator

I think we need all 3:
- common sense and more security awareness and information
- Default Deny/Lockdown Mode
- BB: the more they improve, the fewer ways will be available to hide from them and the more difficult it will be to bypass them.

Level 12

Hi Guys,
It's Michael from Cybellum here.
First of all, I would like to give a lot of credit to Comodo, as it was one of the most challenging antiviruses to attack with DoubleAgent.
Comodo implemented a very interesting feature called CIS Protected Registry Keys, which in fact was supposed to block DoubleAgent-like attacks.

We struggled at the beginning and indeed Comodo managed to block most attempts to attack it via DoubleAgent.
It was tricky, but eventually we succeeded, and Comodo is vulnerable to DoubleAgent just like all the other antiviruses.

I took the time and effort to upload a POC video showing DoubleAgent successfully attacking Comodo.

This video was done a few minutes ago, so it obviously affects the latest version of Comodo.

The Comodo attack is the only one that doesn't use our publicly available POC code, but rather different, private code.
We decided not to share the private code in order to protect Comodo users, but Egemen (from Comodo) has received it and is aware of it.
Egemen has done great work communicating with us, and hopefully a new patch will be released soon to close Comodo's vulnerability to DoubleAgent.

Correct. The PoC we have is a new COMODO-specific issue which can allow an attacker to do a few things with the default configuration. The default config needs to be slightly changed. See below for configuration changes to cover this PoC as well.
